World's oddly relaxed about recent CSRF bypass in csurf Express middleware. It does require cookie tossing, which limits the blast radius, but for multi-tenant apps using subdomains it could be deadly -> fortbridge.co.uk/research/cs….
Sep 5, 2022 · 10:44 AM UTC
If you're an expressjs.com/ user - it's time to hunt for another CSRF protection library or write your own 😱
